as/400 v4r2 NAT - IBM AS400


as/400 v4r2 NAT

I have a v4r2 as/400 server with the telnet service and the ftp service
enabled.

I can access these services perfectly from my intranet, however, when I
tell my router, to show (forward) these services to the world, they
don't work.

I've tested another machine (Windows 2000), and installed the telnet
server there (KTS, real nice), everything worked just fine. (so it's
not the router's fault)

My guess is that the AS/400 security policy doesn't let me access the
information from around the world, just the intranet.

I have full access privileges to this machine (QSECOFR, QSECADM), but I
have no clue as to where to set this value (to let people from the
outside log in).

I need this so I can give remote access through client access, spooling
services, etc, to people outside my intranet.

Should I use a VPN?
--
Any help will be greatly appreciated.

Anything will do

Seriously people, we are kinda desperate around here!

HELP!

Re: as/400 v4r2 NAT

On 14 Dec 2006 06:02:42 -0800, "fel" wrote:
>I have a v4r2 as/400 server with the telnet service and the ftp service
>enabled.
>
>I can access these services perfectly from my intranet, however, when I
>tell my router, to show (forward) these services to the world, they
>don't work.
>
>I've tested another machine (Windows 2000), and installed the telnet
>server there (KTS, real nice), everything worked just fine. (so it's
>not the router's fault)
>
>My guess is that the AS/400 security policy doesn't let me access the
>information from around the world, just the intranet.
>
>I have full access privileges to this machine (QSECOFR, QSECADM), but I
>have no clue as to where to set this value (to let people from the
>outside log in).
>
>I need this so I can give remote access through client access, spooling
>services, etc, to people outside my intranet.

The ports required for FTP are 20 and 21.
The port you need to open for telnet is 23.

But if your Windows box is working then that's not the issue.

Using CFGTCP, check option 2 and make sure that the next hop is
pointing to your router.

>Should I use a VPN?

Once you get it working, yes.

Having said that, I have machines with open FTP ports, but they have
an exit program that will only allow a certain user/pwd combo to gain
access. If the user/pwd combo is non-trivial, that makes it pretty
secure. I see people trying to hack said machines all the time (once
for 24 hours straight!) but without the user/pwd they're not getting
in.

You could probably extrapolate that concept to Telnet as well. If
you're not using any default user/pwd combos then you're fairly safe
there too. Use the ANZDFTPWD command to see if you have any problems.

Keep in mind that without a VPN, your data is being sent in the open.
Which for most folks isn't too big a show stopper. If I understand
the technology correctly, someone would have to tap your phone line in
order to see the data. Most of us aren't important enough for someone
to go to that effort.
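
Why the next-hop check above matters, as an added example that is not part of the original posts: a host with only its directly attached LAN route can answer intranet clients but has no route for replies to internet clients that arrive through the port forward. The addresses are constructed, and the sketch assumes the router forwards the port without rewriting the client's source address.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: returns the next hop, 'direct', or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def reply_delivered(routes, client_ip):
    """A TCP handshake completes only if the server can route its
    SYN-ACK back to the client's source address."""
    return next_hop(routes, client_ip) is not None

# Constructed sample addresses (assumptions, not taken from the thread).
LAN = "192.168.1.0/24"
ROUTER = "192.168.1.1"
INTRANET_CLIENT = "192.168.1.50"
INTERNET_CLIENT = "203.0.113.7"   # documentation address range

# Route table with only the directly attached network.
ONLY_DIRECT = [(LAN, "direct")]
# Same table plus a default route whose next hop is the router.
WITH_DEFAULT = ONLY_DIRECT + [("0.0.0.0/0", ROUTER)]

def diagnose(routes):
    """Report which kinds of client can complete a connection."""
    clients = (("intranet", INTRANET_CLIENT), ("internet", INTERNET_CLIENT))
    return {name: reply_delivered(routes, ip) for name, ip in clients}

if __name__ == "__main__":
    print("direct route only :", diagnose(ONLY_DIRECT))
    print("with default route:", diagnose(WITH_DEFAULT))
```

On the AS/400 the second table corresponds to a default route entry such as ADDTCPRTE RTEDEST(*DFTROUTE) SUBNETMASK(*NONE) NEXTHOP('192.168.1.1'), where the next-hop address is the constructed router address used here.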

Re: as/400 v4r2 NAT

Scott Coffey wrote:
> On 14 Dec 2006 06:02:42 -0800, "fel" wrote:
>
> >I have a v4r2 as/400 server with the telnet service and the ftp service
> >enabled.
> >
> >I can access these services perfectly from my intranet, however, when I
> >tell my router, to show (forward) these services to the world, they
> >don't work.
> >
> >I've tested another machine (Windows 2000), and installed the telnet
> >server there (KTS, real nice), everything worked just fine. (so it's
> >not the router's fault)
> >
> >My guess is that the AS/400 security policy doesn't let me access the
> >information from around the world, just the intranet.
> >
> >I have full access privileges to this machine (QSECOFR, QSECADM), but I
> >have no clue as to where to set this value (to let people from the
> >outside log in).
> >
> >I need this so I can give remote access through client access, spooling
> >services, etc, to people outside my intranet.
>
> The ports required for FTP are 20 and 21.
> The port you need to open for telnet is 23.
>
> But if your Windows box is working then that's not the issue.
>

correct.

> Using CFGTCP, check option 2 and make sure that the next hop is
> pointing to your router.
>

It's sad for me to see how little I know about these topics.
The internet used to be fun when I was just a user, and didn't know
anything about how it works.

Now it's my duty to know how some parts of it work...

For instance, this part:

ADDTCPRTE

You tell me that I should put in the next hop field the router address,
but I don't know what to put in the other fields,
various experiments prove futile.

Please help.

> >Should I use a VPN?
>
> Once you get it working, yes.
>
> Having said that, I have machines with open FTP ports, but they have
> an exit program that will only allow a certain user/pwd combo to gain
> access. If the user/pwd combo is non-trivial, that makes it pretty
> secure. I see people trying to hack said machines all the time (once
> for 24 hours straight!) but without the user/pwd they're not getting
> in.
>
> You could probably extrapolate that concept to Telnet as well. If
> you're not using any default user/pwd combos then you're fairly safe
> there too. Use the ANZDFTPWD command to see if you have any problems.
>
> Keep in mind that without a VPN, your data is being sent in the open.
> Which for most folks isn't too big a show stopper. If I understand
> the technology correctly, someone would have to tap your phone line in
> order to see the data.

Wasn't SNA encrypted?

> Most of us aren't important enough for someone
> to go to that effort.

Re: as/400 v4r2 NAT

fel wrote:

thanks, it seems to work now, lots of testing to be done...

Re: as/400 v4r2 NAT

On 14 Dec 2006 08:55:43 -0800, "fel" wrote:
>thanks, it seems to work now, lots of testing to be done...